首先利用系统sysctl的配置进行防御:

由于系统已经自带一个conf及已经包涵部分安全建议提示,代码行只显示后续增加的变量修改

net.ipv4.icmp_echo_ignore_broadcasts = 1 net.ipv4.icmp_ignore_bogus_error_responses = 1 net.ipv4.tcp_max_tw_buckets = 6000 net.ipv4.tcp_max_syn_backlog=2048 net.ipv4.tcp_fin_timeout=30 net.ipv4.tcp_synack_retries=2 net.ipv4.tcp_keepalive_time=3600 net.ipv4.tcp_window_scaling=1 net.ipv4.tcp_sack=1 kernel.exec-shield = 1 kernel.randomize_va_space = 1 fs.file-max = 65535 net.core.rmem_max = 8388608 net.core.wmem_max = 8388608 net.core.netdev_max_backlog = 5000 net.ipv4.tcp_rmem = 4096 87380 8388608 net.ipv4.tcp_wmem = 4096 87380 8388608 net.ipv6.conf.all.disable_ipv6 = 1 net.ipv6.conf.default.disable_ipv6 = 1 net.core.netdev_max_backlog = 262144 net.ipv4.tcp_max_orphans = 3276800 net.ipv4.tcp_timestamps = 0 net.ipv4.tcp_synack_retries = 1 net.ipv4.tcp_syn_retries = 1 net.ipv4.tcp_tw_recycle = 1 net.ipv4.tcp_tw_reuse = 1
Code language: PHP (php)

利用iptables限制syn:

iptables -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
Code language: PHP (php)
分类: Linux安全

0 条评论

发表评论

Avatar placeholder

您的电子邮箱地址不会被公开。

此站点使用Akismet来减少垃圾评论。了解我们如何处理您的评论数据